Twitter is under investigation by Irish privacy authorities over its refusal to provide information about how twitter tracks him/her when clicks on links in tweets.
Whenever a person adds a link into a tweet, twitter converts the link through their link-shortening service, t.co. Twitter says they use the t.co to measure how many times a link has been clicked and helps it fight the spread of malware through cloaked links.
Twitter Under Formal Investigation for How It Tracks Users in the GDPR Era
Michael Veale, a privacy researcher who works at University College London, suspects that Twitter gets more information whenever a person clicks on a link in a tweet, and he is diverting through t.co. According to Michael, Twitter might be leaving cookies into their browser to track what the are looking on the web.
Veale asked Twitter to provide him with all the personal data Twitter holds on him, as it is his right under new General Data Protection Regulations.
Twitter refused to provide the data; they record when Veale clicked on a link in other people’s tweets saying providing this information would take relatively too large effort for a small task. Back in August Veale complained to Irish Data Protection Commission (DPC), they informed Veale on Thursday about opening an investigation. Twitter’s European operations are operated from Dublin, that’s why Veale complained in Ireland.
“The DPC has initiated a formal statutory inquiry in respect of your complaint,” the watchdog said in a letter to Veale. “The inquiry will examine whether or not Twitter has discharged its obligations in connection with the subject matter of your complaint and determine whether or not any provisions of the GDPR or the [Irish Data Protection] Act have been contravened by Twitter in this respect.”
The regulatory authority also said the complaint was to be handled by the new European Data Protection Board. It is a body that helps national data protection authorities coordinate their GDPR enforcement efforts – as Veale’s complaint “involves cross-border processing.”
“When Twitter told Veale that it would not hand over the data it held on his tracking via t.co links, it claimed the GDPR allowed it to do so on “disproportionate effort” grounds. However, Veale said Twitter was misinterpreting the text of the law, and that this exemption cannot be used to limit so-called access requests, such as the one he made.”, reported by Fortune.
It is first ever GDPR investigation opened about Twitter. Veale recently prompted a similar case into Facebook, and they refused to hand over data held on users “web-browsing activities.” Facebook is already under investigation of multiple GDPR complaints.
“Data which looks a bit creepy, generally data which looks like web-browsing history, [is something] companies are very keen to keep out of data access requests,” said Veale.
“The user has a right to understand,” Veale said.
When a company is found to be breaching terms of GDPR, they face fines of $23.2 million or 4 percent of global annual revenue. That means if a company’s 4% annual revenue is greater than $23.2 million they will have to pay by percentage. Twitter had $2.4 billion revenues in 2017, that means a GDPR find could cost $96 million to the company.
Twitter has not said anything about the investigation so far.